[redhat-lspp] [RFC][PATCH 4] MLSXFRM: Bug fix involving unlabeled IPSec
- From: Venkat Yekkirala <vyekkirala trustedcs com>
- To: redhat-lspp redhat com, ftmedran us ibm com, jmorris redhat com, latten austin ibm com, sds tycho nsa gov, tjaeger cse psu edu
- Cc:
- Subject: [redhat-lspp] [RFC][PATCH 4] MLSXFRM: Bug fix involving unlabeled IPSec
- Date: Fri, 07 Jul 2006 18:42:24 -0500

This should fix the issues encountered today by Joy and Fernando at IBM with not
being able to use unlabeled IPSec policy/associations.

The following mls constraint (modified to allow use of unlabeled IPSec policy rules
if TE policy allowed it) should be used in conjunction with this fix:

    mlsconstrain association { polmatch }
        ((( l1 dom l2 ) and ( h1 domby h2 )) or
         ( t2 == unlabeled_t ));

--- linux-2.6.17.i686.patch11.3/include/linux/security.h 2006-07-06 10:33:07.000000000 -0500
+++ linux-2.6.17.i686.patch11.4/include/linux/security.h 2006-07-07 18:10:00.000000000 -0500
@@ -2989,6 +2989,8 @@ static inline int security_xfrm_state_al
static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 sid)
{
+ if (!polsec)
+ return 0;
return security_ops->xfrm_state_alloc_security(x, NULL, polsec, sid);
}
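
Review bot: The new `if (!polsec) return 0;` in security_xfrm_state_alloc_acquire() reports success without calling the xfrm_state_alloc_security hook, so the `sid` argument is silently dropped and the state `x` gets no security context from this path, for every security module and not only SELinux. Please add a comment above the check saying that a NULL `polsec` means the matching policy is unlabeled and that the acquired state is intentionally left unlabeled, or move the check into the hook implementation so that the module makes that decision itself.
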
--- linux-2.6.17.i686.patch11.3/security/selinux/xfrm.c 2006-07-06 15:28:53.000000000 -0500
+++ linux-2.6.17.i686.patch11.4/security/selinux/xfrm.c 2006-07-07 18:34:37.000000000 -0500
@@ -212,8 +212,6 @@ static int selinux_xfrm_sec_ctx_alloc(st
if (!uctx)
goto not_from_user;
- BUG_ON(!uctx);
-
if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
return -EINVAL;
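
Review bot: Dropping `BUG_ON(!uctx)` in selinux_xfrm_sec_ctx_alloc() is a cleanup that the description does not mention; with `if (!uctx) goto not_from_user;` immediately before it, the assertion could never fire, so removing it does not change behaviour and is not part of the unlabeled IPSec fix itself. Please say so in the description or split it into its own patch, so the functional change in security.h is easy to pick out.
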